First I must mention that there has already been an introduction to IPS/IDS/firewalls on InfosecInstitute, including their capabilities and differences: Intrusion Prevention System: First Line of Defense. To summarize the important observation from that article: “a firewall is used to allow or block traffic, whereas an IPS’s job is to determine if there is something malicious in the traffic allowed by the firewall”. So an IDS/IPS is not a replacement for a firewall, nor the other way around; the two must be used in conjunction to implement defense in depth.

A firewall can be either software-based or hardware-based and is used to help keep a network secure. Packet filtering looks at the source IP address, destination IP address, source port number, destination port number, TCP flags and other header information to decide whether a packet should be accepted or rejected. Usually a packet filter is also smart enough to remember previous packets, so that a packet is analyzed together with the packets that came before it (stateful filtering) when deciding whether it is malicious and should be rejected/dropped, or whether it should be passed through.

We can present an overview of packet filtering with the following picture:

We can see that the abstract term packet filtering can be divided into more specific terms that are used throughout the information security field. Hereafter we’ll describe each component of the picture to get a better understanding of it. I’ve divided the abstract definition of packet filtering into the following components:

In the picture we can see the representation of the IP header. The IP header is used for routing packets through the Internet, because it contains the most important information of all the protocol headers, which includes the following fields:
- Source IP address: the IP address where the packet originated.
- Destination IP address: the IP address where the packet is going.

Of course this IP header belongs to the IPv4 protocol, but there is also IPv6, whose header contains the same information except that both the source and destination addresses are 128 bits long. We’re not limited to IPv4 and IPv6, which are used for routing packets through the Internet; there are also other protocols that hold the source and destination address of each packet, like TODO.

We must also take a look at another protocol that sits above IP: the TCP protocol, which is used to reliably deliver all the packets that belong to the same stream. The TCP header is outlined in the next picture (taken from: ). Important fields of the TCP header are the following:
- Source port: the port from which the packet was sent.
- Destination port: the port to which the packet is going.
- Flags: URG, ACK, PSH, RST, SYN, FIN.

The outlined fields of the IP and TCP headers are the pieces of information most commonly monitored when packet filtering is in use.

A packet filter has to have the following capabilities:

A. Examination of each packet’s data and headers. Each packet is examined when it arrives at the packet filter. This is done with the help of the filtering rules defined in the next point.

B. A set of rules which define what to do with the packet. These rules define what a packet filter should look for when it receives a packet. It usually looks for the information we’ve already talked about: source IP address, destination IP address, source port number, destination port number, etc.

C. The actions taken based on the result of the examination. There are numerous actions a packet filter can take when it receives a packet and has filtering rules defined. Based on the defined filtering rules, a packet filter can do the following:
- Accept only packets that are certainly safe, based on a set of rules (everything else is denied by default).
- Drop only packets that are certainly unsafe, based on a set of rules (everything else is allowed by default).
- If a packet is received for which no filtering rule is defined, ask the user what to do with it.
- Block a source IP address because too many packets were received from it in too short a time window.

Almost any action can be applied to a packet or a set of packets; the sky is the limit. For example, if we wanted to send an HTTP response containing “Hello, my name is Santa Claus” to every HTTP request coming from a given IP address, we could define a rule that does exactly that.
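The header fields described above and the three capabilities (examination, rules, actions) can be tied together in a small piece of code. What follows is an added example, not code from the original article or from InfosecInstitute: it parses the source/destination addresses, ports and flags out of raw IPv4 and TCP headers, evaluates an ordered rule set with a default policy, and keeps per-source state so it can block a source that sends too many packets inside a short time window. The addresses, rule values, the `max_per_window` threshold and the `RULES` table are my own illustrative choices (addresses come from the RFC 5737 documentation ranges), and the "ask the user" action is represented only by the default policy. All packets are constructed in code, so it runs offline.

```python
# Added example (not from the original article): a toy packet filter that
# extracts the IP/TCP fields discussed in the text, applies an ordered rule
# set with a default policy, and keeps per-source state for rate limiting.
# Addresses, ports and thresholds below are illustrative, not real traffic.
import ipaddress
import struct
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    flags: frozenset


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Extract the header fields a packet filter inspects; raise on malformed input."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (raw[0] & 0x0F) * 4              # IPv4 header length in bytes (options allowed)
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    protocol = raw[9]
    src_ip = str(ipaddress.IPv4Address(raw[12:16]))
    dst_ip = str(ipaddress.IPv4Address(raw[16:20]))
    if protocol != 6:                      # not TCP: there are no ports or flags to read
        return Packet(src_ip, dst_ip, protocol, 0, 0, frozenset())
    tcp = raw[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    flags = frozenset(n for n, bit in TCP_FLAGS.items() if tcp[13] & bit)
    return Packet(src_ip, dst_ip, protocol, src_port, dst_port, flags)


@dataclass
class Rule:
    """One filtering rule: every given field must match; the first matching rule wins."""
    action: str                           # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"                # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None        # None means any destination port
    flags: frozenset = frozenset()        # every listed flag must be set

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and self.flags <= p.flags)


class PacketFilter:
    def __init__(self, rules, default="DROP", max_per_window=3, window=1.0):
        self.rules = list(rules)
        self.default = default            # policy when no rule matches
        self.max_per_window = max_per_window
        self.window = window              # seconds
        self.seen = defaultdict(deque)    # state: recent arrival times per source IP

    def decide(self, raw: bytes, now: float) -> str:
        try:
            p = parse_ipv4_tcp(raw)
        except ValueError:
            return "DROP"                 # malformed header: fail closed
        # Stateful check: remember earlier packets from this source and block the
        # source once more than max_per_window packets arrive inside the window.
        times = self.seen[p.src_ip]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()
        if len(times) > self.max_per_window:
            return "DROP"
        for rule in self.rules:           # stateless rules, first match wins
            if rule.matches(p):
                return rule.action
        return self.default


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, flags=()):
    """Constructed sample packet: minimal IPv4 + TCP headers, no payload, zero checksums."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    flag_byte = sum(TCP_FLAGS[f] for f in flags)
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flag_byte, 65535, 0, 0)
    return ip_hdr + tcp_hdr


# Hypothetical rule set; order matters because the first match wins.
RULES = [
    Rule("DROP", src="192.0.2.0/24"),                                         # known-bad range
    Rule("ACCEPT", src="10.0.0.0/8", dst_port=22, flags=frozenset({"SYN"})),  # SSH only from the LAN
    Rule("ACCEPT", dst_port=80),                                              # web from anywhere
]


def demo() -> dict:
    """Run constructed packets through the filter and return each decision."""
    pf = PacketFilter(RULES, default="DROP", max_per_window=3, window=1.0)
    pkts = {
        "lan_ssh_syn": build_ipv4_tcp("10.1.2.3", "10.0.0.5", 40000, 22, ("SYN",)),
        "internet_ssh_syn": build_ipv4_tcp("203.0.113.9", "10.0.0.5", 40000, 22, ("SYN",)),
        "web": build_ipv4_tcp("203.0.113.9", "10.0.0.5", 40001, 80, ("SYN",)),
        "badnet_web": build_ipv4_tcp("192.0.2.7", "10.0.0.5", 40002, 80, ("SYN",)),
        "truncated": b"\x45\x00\x00",
    }
    results = {name: pf.decide(raw, now=0.0) for name, raw in pkts.items()}
    flood = build_ipv4_tcp("198.51.100.4", "10.0.0.5", 5000, 80, ("SYN",))
    results["flood"] = [pf.decide(flood, now=0.1 * i) for i in range(5)]
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision}")
```

Two design points worth noting. Malformed headers are dropped before any rule is consulted, so a packet the parser cannot make sense of never reaches an ACCEPT rule. The rate-limit state is consulted before the stateless rules, which is what makes "block a source that sent too many packets in too short a window" possible at all: a purely stateless filter looking at one packet in isolation has no way to express that rule.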